
We have been tracking this fake "System Defragmenter" software since it first appeared in October 2010, and we warned our customers about this trojan in an earlier post. In this follow-up post we give an update, including a new variant worth noting for our customers.

The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request (requirement) that users buy a license. This ultimately is the goal of the scammers – to extract money.

“Brands” or aliases

Common strategies of fake software include branding, or the use of different names and aliases, and this family is no different, releasing 2 or 3 rebranded variations every week. Many of them are listed in the table below, including the recent “WinScan” that we dissect later in this post.

System Defragmenter
Smart HDD
Scanner
Check Disk
Win Defragmenter
Full Scan
Win HDD
Win Defrag
HDD Scan
HDD Plus
Win Defragmenter
HDD Diagnostics
HDD Low
Quick Defragmenter
HDD Repair
HDD Tools
Smart Defragmenter
Win Scanner
HDD Doctor
HDD Defragmenter
Quick Defrag
HDD Rescue
Scan Disk
HDD Fix
Disk Doctor
HDD Control
Memory Fixer
Disk Repair
Hard Drive Diagnostic
My Disk
Easy Scan
Disk Ok
Fast Disk
HDD Ok
Disk Optimizer
Memory Optimizer
Good Memory
Memory Scan
Windows Scan
Disk Recovery
Win Disk
WinScan

The Packers

FakeSysdef uses a few different packers. Figure 1 shows the custom packer used by this rogue: a relatively simple packer that employs an anti-emulation trick in its bid to thwart emulators.

The packer layer decrypts the code and copies the decrypted code to the newly allocated memory before jumping to the second layer, or the injector stub. The injector stub can be easily recognized by the starting code similar to that shown below:

The first two calls just get the base addresses of KERNEL32.DLL and NTDLL.DLL. With those base addresses in hand, the injector can easily resolve the other APIs it needs by parsing each DLL’s Export Address Table, including the RtlDecompress() API that it uses to uncompress the embedded executable with COMPRESSION_FORMAT_LZNT1:

The injector then fixes the PE image in memory after stuffing the now-decompressed code into the host’s own address space. Finally, it jumps to the final entry point of the malicious program, and begins the installation:
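For an analyst who has carved the LZNT1-compressed blob out of a memory dump and wants to recover the embedded executable on a non-Windows box, the following pure-Python decompressor is an added example (not code from the original post or from the malware); the sample streams are hand-assembled for illustration, and the ntdll export the injector calls for this format is documented as RtlDecompressBuffer.

```python
import struct

def lznt1_decompress(buf: bytes) -> bytes:
    """Decompress a raw LZNT1 stream (Windows COMPRESSION_FORMAT_LZNT1)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header, = struct.unpack_from("<H", buf, pos)
        pos += 2
        if header == 0:                         # zero header: end of stream / padding
            break
        size = (header & 0xFFF) + 1             # size field = chunk data bytes minus one
        chunk = buf[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        pos += size
        if not header & 0x8000:                 # bit 15 clear: chunk is stored as-is
            out += chunk
            continue
        chunk_base = len(out)                   # back-references never cross a chunk boundary
        i = 0
        while i < len(chunk):
            flags = chunk[i]; i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:      # flag bit clear: literal byte
                    out.append(chunk[i]); i += 1
                    continue
                token, = struct.unpack_from("<H", chunk, i); i += 2
                # The length/displacement split depends on how much of this chunk exists so far.
                written = len(out) - chunk_base
                len_mask, off_shift, p = 0xFFF, 12, written - 1
                while p >= 0x10:
                    len_mask >>= 1; off_shift -= 1; p >>= 1
                length = (token & len_mask) + 3
                dist = (token >> off_shift) + 1
                if dist > written:
                    raise ValueError("back-reference points before chunk start")
                for _ in range(length):         # byte-wise copy so overlapping runs work
                    out.append(out[-dist])
    return bytes(out)

# Constructed streams (hand-assembled here, not taken from a FakeSysdef sample):
SAMPLE_RLE = bytes([0x05, 0xB0, 0x08]) + b"ABC" + bytes([0x06, 0x20])      # -> b"ABCABCABCABC"
SAMPLE_STORED = bytes([0x02, 0x30]) + b"XYZ"                                # uncompressed chunk
SAMPLE_SHIFT = (bytes([0x15, 0xB0, 0x00]) + b"ABCDEFGH" + b"\x00" + b"IJKLMNOP"
                + bytes([0x02]) + b"Q" + bytes([0x00, 0x80]))               # 17-byte displacement
```

Malformed input (a truncated chunk or a back-reference that reaches before the chunk start) raises ValueError rather than producing garbage, which is what you want when feeding carved memory to it.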

New variant?

Earlier in February, we received an attention-getting new sample of FakeSysdef from a customer. At first we thought it was different malware, but on closer analysis of the sample it turned out to be a major modification of the FakeSysdef family.

For comparison, previous variants use the same interface and logo with an icon similar to a trojan horse:

Figure 2 – Various branding for FakeSysdef

This most recent FakeSysdef sample uses a new interface, though you can tell that it’s part of this family because the menu, texts and (fake) error messages are still the same (see Figure 3):

Figure 3 – New FakeSysdef GUI

The new variant is armored with a new shiny GUI and its scareware tactics are rather alarming and more aggressive, leaving the computer virtually useless until the user pays for the license to fix the bogus errors.

It is packed with UPX, a packer that is plain and simple without complex obfuscation that would make analysis more difficult. This is an indication that it’s in the early stages of development and still lacks emphasis on malware “hardening” intended to hide the malware from scanners and malware researchers alike.

The Loader

The main executable component arrives as an EXE file and acts as a loader. It first terminates the Internet Explorer process if it is found running. On computers running Windows Vista and later, it makes sure that it runs as an elevated-privilege process. Then it drops a DLL file such as the following:

The DLL code is selective about where it runs: it only allows itself to execute inside specific target processes, so it effectively injects itself only into the Explorer.exe, Winlogon.exe and userinit.exe processes. After injection, it tries to connect to a hardcoded URL, perhaps to phone home its affiliate ID for a pay-per-install scheme:

<site>/404.php?type=stats&affid=487&subid=new05&awok

As of this writing, the associated site “findcopper.org” and URL requested is no longer available.

Scaring the user

The DLL component creates a black BMP file on the fly, based on the operating system (ProductName) and service pack number queried from the registry, and sets the created BMP as the desktop background (see Figure 5). This BMP file is dropped in the Temporary files folder and is made to look like an authentic “Safe Mode” boot background; it is used later on, after a forced reboot by the trojan.

FakeSysdef also disables the background tab options of the Windows desktop configuration to make sure that the new desktop background will not be altered, with the following registry modification:

It may terminate more active processes and will, finally, force the machine to reboot. Once rebooted, the malware begins its assault by showing a fake Windows boot failure error dialog box at the background, with the BMP created earlier on top of it, simulating Safe Mode:

This is followed by a disk diagnostics dialog that requests permission to diagnose the “disk problems”. Annoying disk and memory errors pop up to assert its presence and create more panic for the user. Eventually, the malware offers a module to download and “fix” those errors. If the user doesn’t accept the fix, the malware reboots the computer again and the process repeats itself, again and again, until the user might just give up and allow the “fix” module to run.

The machine now appears useless and will not allow any application or program to be executed, leaving the hapless user seemingly no choice but to accept the fix and repair offered by the rogue authors (see Remediation at the end of this blog). Yes, that’s the scareware tactic.

The remaining symptoms of this trojan variant are similar to those of previous variants – before it fixes the errors, you need to activate the module by purchasing a software license from the malware makers. It opens a simple, custom browser showing a very legitimate-looking “secure and verified” webpage.

Rogue Call-back and Affiliate Sign In

This trojan family phones home to a remote website to record its installation stats, such as which other malware was installed alongside it and the affiliate ID, presumably for pay-per-install business transactions. This network behavior makes it possible to write IDS/IPS signatures to detect and block its network activity. Our data shows that FakeSysdef has the following outbound connection string formats:

At least one of the sites involved allows the malware affiliate to log on as displayed below:

Figure 6 – Example of the affiliate logon portal
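As an added example that is not part of the original post, here is a small detector for the call-back shape quoted earlier (a 404.php request carrying type=stats and an affid), run over constructed proxy log lines; the host name is a placeholder for the call-back site, and every value other than the affid/subid pair quoted above is made up.

```python
from urllib.parse import urlsplit, parse_qs

def classify_request(url):
    """Return (affid, subid) when a URL has the FakeSysdef stats call-back shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/404.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # keeps bare keys such as 'awok'
    if qs.get("type") != ["stats"] or "affid" not in qs:
        return None
    return qs["affid"][0], qs.get("subid", [""])[0]

# Constructed proxy log lines ("client method url"); the host is a placeholder, not the real site.
SAMPLE_LOG = """\
10.0.0.5 GET http://callback-host.example/404.php?type=stats&affid=487&subid=new05&awok
10.0.0.7 GET http://www.example.com/404.php
10.0.0.9 GET http://www.example.org/index.php?type=stats&affid=12
10.0.0.5 GET http://www.example.net/404.php?type=stats&affid=12&subid=demo
"""

def scan_log(text):
    """Return one (client, affid, subid) tuple per matching request, in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        match = classify_request(fields[2])
        if match:
            hits.append((fields[0],) + match)
    return hits
```

A plain 404.php hit and a stats query on a different path are deliberately included so the check does not fire on them; a real signature should key on the same combination rather than on the host name, which changes between releases.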

Remediation

There is a somewhat painless method to remove this trojan without giving in and paying. The basic steps are to start the computer in safe mode, delete the trojan DLL responsible as well as the scary bitmap wallpaper, then reboot and scan.

The bitmap is stored as either “wall.BMP” or “<random>.BMP” in the Temporary files folder. The trojan also sets a policy to prevent the user from modifying the desktop wallpaper, via a registry setting named “NoChangingWallPaper”. Windows customers requiring additional help can get assistance from our online support site http://support.microsoft.com/ or via phone by calling 1-800-PC-SAFETY (1-800-727-2338).

Conclusion

Despite its simplistic approach, and with its recent code modifications, FakeSysdef tells us two things: (1) the malware authors are getting a reasonable amount of money from their operation, and (2) it seems we will be seeing more of this trojan in the coming months. The hardcoded strings – Uniform Resource Identifier (URI), filenames, etc. – suggest that the scammers are using a toolkit or builder to compile new releases.

Hopefully, you found this post helpful. MMPC will continue to track and haunt them until the game is over.